
CVE-2021-44228 Log4j

Hi,

Are Sentinel 8 products vulnerable to CVE-2021-44228?
What is the Patch Release Program or Mitigation for the topic?

Thanks

Everyone is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid. [A. Einstein]

  • 0

    Hi Pascal,

    This is logged with engineering already, under bug:
    OCTCR33H388003 CVE-2021-44228 (Log4j 2 Vulnerability)


    This same query has come in from many different customers, for different Micro Focus products, not just Sentinel (and Change Guardian if you use that).


    We have upgraded log4j to 2.14.1 in Sentinel 8.6. But it seems this vulnerability is also present in 2.14.1, so we will update to the next latest version in 8.6.

    Regarding the vulnerability, we will analyze whether Sentinel is impacted by this vulnerability or not.


    You can always log this with support services.


    Regards,


    Henk Tjalsma

  • 0 in reply to 

    Thanks Henk

    Everyone is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid. [A. Einstein]

  • Suggested Answer

    0  

    Hi all,

    Please find an official statement here and a security bulletin with regular updates and affected products here.

    Hope that helps,

    MS

    Sr. Product Line Manager |  ArcSight Threat Intelligence
    OpenText Cybersecurity

  • 0

    I saw the KM document,

    Log4j vulnerability and Sentinel (microfocus.com)

    but I am confused about step 5,

    because the appliance has no zip command. It has bip and gzip... but no zip command.

    And even if I use gzip instead of zip... it shows permission denied.

    When I switch to root, it shows no such file.

    wencheng

  • 0 in reply to 

    Hi All,

    The zip command indeed does not exist on SLES OS...

    I downloaded the zip package from openSUSE and installed it.

    Step 5 then ran well. The other steps seem to have no problem.

    Wencheng

  • 0 in reply to 

    zip-3.0-16.3.1.x86_64.zip

    True Wencheng. You managed to retrieve it anyway, but I've just enclosed it here.

    Now, we have not validated any of the old versions; as we mentioned in the document, we have verified only Sentinel 8.4 and 8.5 versions as of now.

    “These mitigation steps have been validated for Sentinel versions 8.4 and 8.5. We are in the process of certifying this with other versions and will update this bulletin.”

     

    Please find the attached zip rpm for the installation.

     

    Command to install :

    rpm -Uvh zip-3.0-16.3.1.x86_64.rpm

    Hope this helps.

    Thanks,

    Henk Tjalsma

  • 0 in reply to 

    Thanks Henk

    This procedure was tested on 8.2.3 & 8.5... it should work fine.

    Wencheng